Objective-See's Blog
https://www.objective-see.com
OS X security :)

When Disappearing Messages Don't Disappear
https://objective-see.com/blog/blog_0x2E.html
Did you know that on macOS, notifications are stored in an unencrypted database? This means that even 'disappearing' messages from apps such as Signal may not really disappear. Yikes!

An Insecurity in Apple's Security Framework?
https://objective-see.com/blog/blog_0x2D.html
Turns out that writing security tools is a great way to inadvertently uncover bugs in macOS. How about a crash in Apple's 'Security' framework ... that can't be good!?

Who Moved My Pixels?!
https://objective-see.com/blog/blog_0x2C.html
In this guest blog post my friend Mikhail Sosonkin reverses Apple's screencapture utility, discusses Mac malware that captures desktop images, and suggests methods for screen-capture detection!

A Surreptitious Cryptocurrency Miner in the Mac App Store?
https://objective-see.com/blog/blog_0x2B.html
Turns out the innocuously named "Calendar 2" app, found on the official Mac App Store, was surreptitiously turning Macs into cryptocurrency miners!

Tearing Apart the Undetected (OSX)Coldroot RAT
https://objective-see.com/blog/blog_0x2A.html
I uncovered a new cross-platform backdoor that provides remote attackers persistent access to infected systems.

Analyzing OSX/CreativeUpdater
https://objective-see.com/blog/blog_0x29.html
Recently, the popular MacUpdate website was subverted to distribute a new macOS cryptominer: OSX/CreativeUpdater.

Analyzing CrossRAT
https://objective-see.com/blog/blog_0x28.html
The EFF/Lookout discovered a cross-platform implant, named CrossRat, with ties to nation-state operators. Here, we tear it apart, analyzing its persistence mechanisms, features, and network communications.

An Unpatched Kernel Bug
https://objective-see.com/blog/blog_0x27.html
On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding that Apple's AMDRadeonX4150 kext is responsible for the crash.

Ay MaMi - Analyzing a New macOS DNS Hijacker
https://objective-see.com/blog/blog_0x26.html
OSX/MaMi (the first Mac malware of 2018) hijacks infected users' DNS settings and installs a malicious certificate into the System keychain, in order to give remote attackers 'access' to all network traffic.

All Your Docs Are Belong To Us
https://objective-see.com/blog/blog_0x22.html
Here, we reverse, then 'extend' a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents will be automatically detected!

Mac Malware of 2017
https://objective-see.com/blog/blog_0x25.html
Let's look at all the Mac malware from 2017, discussing for each its infection vector, persistence mechanism, features & goals.

Why _blank_ Gets You Root
https://objective-see.com/blog/blog_0x24.html
Yet another massive security flaw affects the latest version of macOS (High Sierra), allowing anybody to log into the root account with a blank password, or a password of their choosing!

From the Top to the Bottom; Tracking down CVE-2017-7149
https://objective-see.com/blog/blog_0x23.html
High Sierra suffered from a nasty bug (CVE-2017-7149) that afforded local attackers access to the contents of encrypted APFS volumes.

High Sierra's 'Secure Kernel Extension Loading' is Broken
https://objective-see.com/blog/blog_0x21.html
A new 'security' feature in macOS 10.13 is trivial to bypass.

WTF is Mughthesec!? poking on a piece of undetected adware
https://objective-see.com/blog/blog_0x20.html
Some undetected adware named "Mughthesec" is infecting Macs...let's check it out!

OSX/MacRansom; analyzing the latest ransomware to target macs
https://objective-see.com/blog/blog_0x1E.html
Looks like somebody on the 'dark web' is offering 'Ransomware as a Service'...that's designed to infect Macs!

OSX/Proton.B; a brief analysis, 6 miles up
https://objective-see.com/blog/blog_0x1F.html
Analysis of OSX/Proton.B reveals some interesting tricks, plus a command file that can be decrypted to reveal the malware's capabilities.

HandBrake Hacked! OSX/Proton (re)Appears
https://objective-see.com/blog/blog_0x1D.html
The website of a popular application was hacked, and the application trojaned with a new variant of OSX/Proton.

Two Bugs, One Func(), part three
https://objective-see.com/blog/blog_0x1C.html
Analyzing code within the macOS kernel audit subsystem uncovered an exploitable heap overflow.

Two Bugs, One Func(), part two
https://objective-see.com/blog/blog_0x1B.html
Apple's 'fix' for a macOS kernel panic fixes nothing and, worse, introduces a new bug.

Two Bugs, One Func(), part one
https://objective-see.com/blog/blog_0x1A.html
The macOS kernel had an (intentional?) off-by-one bug that could trigger a kernel panic.

Happy Birthday to Objective-See
https://objective-see.com/blog/blog_0x19.html
Today is our 2nd birthday! Let's look at our past, present, and future.

From Italy With Love?
https://objective-see.com/blog/blog_0x18.html
Reverse-engineering a 'Russian' implant reveals HackingTeam's code!?

New Attack, Old Tricks
https://objective-see.com/blog/blog_0x17.html
A Word document targets Mac users with malicious macros and an open-source payload.

Mac Malware of 2016
https://objective-see.com/blog/blog_0x16.html
Let's analyse the malware that appeared in 2016, discussing the infection vector, persistence mechanism, features, and disinfection for each.

'Untranslocating' an App
https://objective-see.com/blog/blog_0x15.html
Apple's App Translocation broke several of my tools, but we can locally undo it to restore broken functionality!

[0day] Bypassing Apple's System Integrity Protection
https://objective-see.com/blog/blog_0x14.html
Read how an attacker can bypass Apple's SIP, via the local OS upgrade process.

Forget the NSA, it's Shazam that's always listening!
https://objective-see.com/blog/blog_0x13.html
Does Shazam's Mac App keep recording even when you turn the app off? ...yes :/

Click File, App Opens
https://objective-see.com/blog/blog_0x12.html
The 'Mac File Opener' adware is fairly normal, except for how it persists via registered document handlers.

Persisting via a Finder Sync
https://objective-see.com/blog/blog_0x11.html
Learn how a Finder Sync can 'extend' Finder.app and how this could be abused for persistence.

Are you from the Mac App Store?
https://objective-see.com/blog/blog_0x10.html
How to verify that an application came from the official Mac App Store, via receipt validation.

Towards Generic Ransomware Detection
https://objective-see.com/blog/blog_0x0F.html
By monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes, can ransomware be generically detected?

Analysis of an Intrusive Cross-Platform Adware; OSX/Pirrit
https://objective-see.com/blog/blog_0x0E.html
In Objective-See's first guest blog post, Amit Serper presents his detailed analysis of OSX/Pirrit.

HackingTeam Reborn; A Brief Analysis of the RCS Implant Installer
https://objective-see.com/blog/blog_0x0D.html
HackingTeam using native OS X crypto to protect malware - neat! New blog w/ sample + decryptions/dumpings/detections.

Analyzing the Anti-Analysis Logic of an Adware Installer
https://objective-see.com/blog/blog_0x0C.html
Dissecting the string obfuscations, junk code insertions, and anti-debugging logic of InstallCore.

Monitoring Process Creation via the Kernel (Part III)
https://objective-see.com/blog/blog_0x0B.html
Getting process creation notifications from kernel-mode to user-mode, via the undocumented kev_msg_post function.

Monitoring Process Creation via the Kernel (Part II)
https://objective-see.com/blog/blog_0x0A.html
Process monitoring via the KAuth Subsystem (and some limitations).

Monitoring Process Creation via the Kernel (Part I)
https://objective-see.com/blog.html#blogEntry9
Why BlockBlock needs a kext (hint: process monitoring), and how the kext was created.

Kernel Debugging a Virtualized OS X El Capitan Image
https://objective-see.com/blog.html#blogEntry8
How to remotely kernel-debug an OS X 10.11 VM.

Reversing to Engineer: Learning to 'Secure' XPC from a Patch
https://objective-see.com/blog.html#blogEntry7
How reversing Apple's 'RootPipe' patch provided the means to secure TaskExplorer's XPC service.

Building HackingTeam's OS X Implant For Fun & Profit
https://objective-see.com/blog.html#blogEntry6
How to build HackingTeam's OS X implant in Xcode.

CVE-2015-3673: Goodbye Rootpipe...(for now?)
https://objective-see.com/blog.html#blogEntry5
Details on bypassing Apple's original rootpipe patch.

More on, "Adware for OS X Distributes Trojans"
https://objective-see.com/blog.html#blogEntry4
A deeper dive into 'MacInstaller' and the adware it installs.

Phoenix: RootPipe lives! ...even on OS X 10.10.3
https://objective-see.com/blog.html#blogEntry3
Exploiting RootPipe on OS X 10.10.3.

Dylib Hijack Scanner Released
https://objective-see.com/blog.html#blogEntry2
Announcing the release of DHS; a tool to help detect (dylib) hijackers.

Website Launch
https://objective-see.com/blog.html#blogEntry1
NSLog(@"Hello World"); Objective-See.com is alive!